Allow the provider to configure default secrets for default backends. (…

…#12)
metal-stack · Nov 21, 2023 · 95b6f4e · 95b6f4e
1 parent 67d88e7
commit 95b6f4e
Show file tree

Hide file tree

Showing 7 changed files with 126 additions and 26 deletions.
diff --git a/charts/gardener-extension-audit/templates/configmap.yaml b/charts/gardener-extension-audit/templates/configmap.yaml
@@ -22,3 +22,18 @@ data:
     defaultBackends:
 {{- toYaml .Values.config.defaultBackends | nindent 6 }}
 {{- end }}
+
+{{- range $secret := .Values.config.defaultBackendSecrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-backend-secret-{{ $secret.name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+{{ include "labels" $ | indent 4 }}
+data:
+{{- range $key, $value := $secret.data }}
+  {{ $key }}: {{ $value | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/gardener-extension-audit/templates/deployment.yaml b/charts/gardener-extension-audit/templates/deployment.yaml
@@ -50,6 +50,12 @@ spec:
         - --log-level={{ .Values.logLevel | default "info" }}
         - --log-format={{ .Values.logFormat | default "json" }}
         env:
+        - name: BACKEND_SECRET_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: BACKEND_SECRET_PREFIX
+          value: default-backend-secret-
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:
             fieldRef:

diff --git a/charts/gardener-extension-audit/values.yaml b/charts/gardener-extension-audit/values.yaml
@@ -43,5 +43,10 @@ config:
 
   defaultBackends:
 
+  defaultBackendSecrets:
+    # - name: my-secret
+    #   data:
+    #     my-key: my-value
+
 gardener:
   version: ""
diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
@@ -5,7 +5,7 @@ metadata:
   name: audit
 type: helm
 providerConfig:
-  chart: H4sIAAAAAAAAA+0caW/bOLaf9SsIdwZogZXkOwMB3d20zcwE0yZB0s1gsVgEtETbmkiihqJybNv/vo+HZEqWLTtJk2lrIoBtiu8g+W5SmWEWkIQwm9xwkmQhTWycByF3nz1c60LbG43kJ7T6p/zeGwx7/VF/PBb9veFw3H2GRg/Iw8qWZxwzhJ4xSvm6cW3Pv9I2W7X/b+aYcecWx9G9aYgNHg+HK/e/3x3U9n88hA/UfYD5tbbvfP9xGp4TJvbdQ1c9C6fp4mfX6TldKyCZz8KUy7599CuJYuQL4UBTyhCfEyQFBpUCZCU4Jh5aJVnWVY3AUy/Bd91W6n9AfWdGH4RGm/4Px72a/o+g7fT/MZrrzqg3ExKAOUHZHNk+6jiOC39XJAkoc2chn+cTx6exWwjL4ssc+5duAW77NOGMRhGIEyOzMOPQCxLlAFplIxz0wwsfw6ckcH5wenZ4fPRS/yQ3OE4j4q7CInwROijE1JMYO5bluugEuMAzos0SSfAkIhmqTCxPU6pNlu4Mk5m0Xj5ljPgcLciiClkrNbF/a9Zqpf5zApsBS5fdPxLcPv4bD0fjXfz3GG2D/b+YkygFn+3w9G6xYIv97/V7o+r+97t7e3s7+/8Y7eNHGwVkGiYEdUTc1kH258/WythNDAe3IAdZJmyEJyTKHIgfnUtyq7DIH/mEsISAHDkhdQWFCo4VKK5wlGtWPn5EYeJHeVAy6CANuIaRZdg6gwKLh1aM0PQlpeVZhAnITOITCe6ckojgjDhHwFwjZyVrYQxuRHGGkHgSTtEcZycMnt+gTjbH/dHYA7LngjyQEuMdjmeohEhZmPAp6vyY/fPHrD6SkZRmIafsdh0KmCNpQujdGSFM1ph3fUMCkkb0NiYJ14F/KRyZCxmHuVxPrQzfYdvA/kNgNA1nMU5tuflXECxRZlPYzWsWctJeI2iP/2v5P6jBYGf/H6VpM1RR73O5w8fFBisjWCkTXIZJ4KE3UjDe49SKCccB5tgDk6Cy/2az3SxBGiiDQLvBpspuZW2UhfYa7LpA/wk6QZY5GorRBTuSYnZRFVcPfRJI1s66is6wbk+9ZQ/attH/u1YDW/S/3+3W47/eoNvf6f9jtIdS7FJIvqgyKyqlCiNotm3LT3MiUoIdwXvklHKdORq6EHnHj2geQAyCo3SOexJLOX9dClArkatSgFUzlhqfH4XAKIxMwILAMDU9YLbW78le4NT3SSr6gTH+4TYlmVwnRv7MQ0YC1GnB7ywjQGFWwnfa+GuC1yzLFS56t+TKgNyOHROw5OPPdNtVAYjt6AqAkt4kZxnfkqKE2Y6mAlmKlhukCsJnnEf8NfYvYVzJaa3bk4g4/beojbVg+IQSrVPjb9mj7do2bQP/v0jg7hgAtPj/vVF3XPf/o8HO/z9Kq7hNnZIrJ/i23PaNo4Av4vuzlPiCMCNXoeDz1zATFYl3YRyCwe7KJ2kU+lg5jMII6s43NE+4IpoBLyLEV344xtyfv9uMj7FCUKiERmAsinTrSUK5jBOyoqus8rSlV8Vwf078yyyPjZxbamNz3lTZhheykoN+cD5oLp3XsPAnmM9RZ6MUvvNSTllVoYAHky/DV6xhdW1oeAdmW9gqhKjgKCH8mjIQ3qUQj1ObgRiEMbFB3jPCYOIg7lFEr0mwGXwAu7oOgpGM5syHPV6GBTA7m4P9yGxRSFzwYHM/tYfDwUNgVnJyTSbw89KeKKcvCfQhw1pQaBH1n4r1LdSuCApxCJTL1bbb7IBqUto81Knn2mZl8fNnb+mxqi92qnhO8ig6oaDUtxVFVxBp+bAipDSOMRizssNG7sra9mKMrWX2lUu47zbPUYupa6QkFQwxvhFY/JwxWFebEfEjjEj2yuB9ceYov+vBZ7eJn5nTEPjmBEd8LrVue9wGcBudcJZQRmyaEpX02Au7tgq7AjkuIPZLgDruQjrVmtmlr3i1xlWshNYqJI51Tcb0KJW4OWrQiTj6rWELwkwcExtn1pXV048XmaCIn/+gYYI6f+vUTaNh4cErsNDPmijqR/YEVM3GQQCKnb0yZX8FbIPxrRFV29tEUz1ZTbIZsp1iaYp0Tb9Ot1Qy/dxc2nWwDZQFuojO7AjcVmTigc53og82Rqc6qBMmU9ppgp5SBh6/Bv6z7DTh/8jE+YQBT5Ir03ooq/fuYP/twenFwbuDNx8Oj48ujvbfH5yd7L85KEciJI+QfmY09oxOhKYhiYJTMq326n7hAL0ysHBK/bhrOFHwe/h+/5eDc2D2+PTi+Pzg9PfTww9LvHrIlTccjFqp21g8XbdZQhuz5QUrVFepo0G59CxCBCtmfRM9BnqMcurTyEMf3pzU6zOl5zRhyk4Z9dUy5wXEIlnudWvZcrlqNMpj8l4EmA1TVlbKYDUWA9UOt7uV++74qjp7EzNLu26MYwQHx0kEHpeznKzeebE/oU/2fV8gPmqPDZ4jPJ2GSchvvbJHiE+wD3HafsMjVFZZ3uYQPM7OwJsFeQTfDqX70d0HN8TPzWrbc70uMtY5q6QAxUO5ICIdOLhJhYU0Q/jFCBtdktuVJ8blmfISHELKlwJVdJg0PJba10BQkNzgfLoKxmlKwbLd/iZ47VTPrec043IjNIwS4KWYriaBflEMNk3WxrXgomkL+54GADfsd/WjrcR7M+Hent82ZVnD+1dfQNug/gNKCdEQy+UV4EkezMiWhaC289/RcK9W/xkMh+Nd/ecxmlbAGUcvREbeVD15iXr1I+BUZlruVW8CsUpRMDqhwdtSTl5LOflrVI4gXfpXgq9wGImQXqLP8knrhO9dMfoaDMQG+s8m2L/XiyAt+j8YDpbu//VHO/1/lCaOT03NlpuNcz6nLPyfugB9+ZOMHhanwxGsGWGnNCLb6Pc2msvySMQl+sMWh7u/MJqnMlaxkXGmW62JWZX4Xgz1FbMZ/ADPPtG9wjTJoDDM1JdrodvLhHAQhzIerNwIVwuyTCvOubxWrlMX3zw73owB8S1PYUGJYh7Cb/01bWZwi5VYDK39dEEDeL45g2md1SWuVpUsG5YMJxB7BWXvxkwYS2Ms2IK1AEx3E2udzjITGQFsXC1LGbs+DSulE7yjwDbhhNA24TV863heQupTyoIwWS/80ltvRKVtDtuRK/plnFCTdF0Uh7GB8HCROoSv8mgwJhb5OQoScaDvAw8ZSAaJIaVCE4KweCtEZ4f/uJciAgGNv/ZzG0W8n91+DR1gqL6Y+QYSusZVLNMaDq3y2o3hWFr4gfjtD9hN6RwU8FmlAvEw4eZTO+dHaBvEf7q2c/cQsDX/6/Z37388UWu8/6d16a+RvXF5FU3bhsOTSlq22bl9WZS25VcPDYcDmdFVq8eyfIYZGNytitFPvYP3a5vrP1aW9Q5moE3/+8Pa+7/9/mA03On/Y7R1+l/40ic1A0+9QN94W6n/6lTiQf4BSIv+9/b2RvX3f8e79/8fp6kbOjJJKW7keGg295lIHeQNehsWSLzkv/raDMczD0lfIX6lxjWdw+kR5SeQ/4hbhJZZY/VQz1rkRejjZ8sybmLou/7mPRUPjaDTuMiiirKrRjE+gdxTjYGn5PowgfABhPpMXJYJYOBAnOOsvLrioSmOMmJZyxdBPPSf/xbdv6vAQPVB8th0gCXeVBDHc+ow3ZPfi6OsFOeZuoMiT8EtdYynluXU3JHFP2FYnOmZXycRnbgxFjGSO8nDKHAlavct9S8Jm4aQUhWnqAZWtc0zSmcRuVjc8lKwNo6D8VCDyT3uDJxuR3eU/8Wl5/R6zs3XPave0qw6f38lZtZXDxzHsaxKEOhZ6tC7uLkgQkrLLx81v/vR9OYHTqVSiEGuuH1SSPXiLYzGEfL9iF5XnUXqlxd6INJWwysC5evcnmXOsLPzrbu2a993+z8x0a2pAFAAAA==
+  chart: H4sIAAAAAAAAA+0ca2/bOHI/61cQ3i7QAiv57S4E9O7S1N0Ntk2CpNe9w+EQ0BJtayOLWkrK49r97zd8SKZkybKTNNnuchDANsV5kJwZzgypLDDzSUSYTW5SEiUBjWyc+UHa/ebhoAfwcjwWnwDVT/G9Pxz1B+PBZMLb+6PRpPcNGj+gDI2QJSlmCH3DKE239Wt7/pXComn9D5eYpc4tXoX35sEXeDIaNa7/oDesrP9kBB+o9wDja4W/+PrjOPhIGF93F131LRzH6589p+/0LJ8kHgviVLQdoJ9IuEIeVw40pwylS4KEwqBCgawIr4iLmjTLuqoweOop+EtDo/371HMW9EF4tNn/aNKv2P8YwNj/Y0C3u6DugmsATglKlsj2UMdxuvB3RSKfsu4iSJfZzPHoqpsry/rLEnuX3Rzd9miUMhqGoE6MLIIkhVbQKAfISh/hoGfPPQyfgsHH6dn50cnxC/WT3OBVHJJuExW+F6FprqauoNixrG4XnYIUeEGUWyIRnoUkQaWBZXFMlctSjUG0EN7Lo4wRL0VrtqjE1op16n82b9Vo/ymBxYCpS+4fCe4f/01G44mJ/x4Ddlj/iyUJY9iznTS+WyzY4v/7g/64vP6D3suXL43/fwz49MlGPpkHEUEdHrd1kP3771Zj7Ma7w7YgOlk6bohnJEwciB+dS3IrqYgf2YywiIAeOQHtcg4lGg0krnCYKVE+fUJB5IWZXwjoIIW4RZBN3KqAnIqLGnoo/oLT5iiCCHQm8ohAd85ISHBCnGMQrlayQrRgBduIlAwh/iSYoyVOThk8v0GdZIkH44kLbD9y9sCK93dSvEAFRsyCKJ2jznfJP75Lqj0ZiWkSpJTdbiMBYyR1BN07E4TBauOuLohP4pDerkiUqsC/UI6kCxmHPl1PbQx/QdjB/0NgNA8WKxzbYvGvIFiizKawmtcsSEl7jaA9/q/k/2AGQ+P/HwWUGyqZ90exwif5AksnWCoTXAaR76JDoRjvcWytSIp9nGIXXILM/uvddr0GKaQEAu0anyqapbeRHtqt8euc/GdoBF1O0Yj3zsURHJOLsrq66DMnsnXUZXKad3vqJXtQ2Mf+71oNbLH/wXg4qdh/f9gfGvt/DHgowy6U5Isas+RSmDACsG1bfOoDERrscNlDp9DrxFHYuco7XkgzH2IQHMZL3BdUivGrUoCciUyWAqyKs1T0vDAAQaFnBB4EusnhgbCVdle0gqSeR2LeDoKlH25jkoh5YuS3LGDER50W+s4mARQkBX6nTb46fCWymOG8dU+pNMz9xNERCzl+i/edFcDYjy9HKPjNMpake3IUOPvxlCgb0XKNVkH4jLMwfY29S+hXSFppdgWhlP6b18ZaKHxGkbKpSV28znC0IOhZQjxGUuS+2k7uXHQTYnELrHUjsk+ND1Gk7JmkZUueNsyDYu9EKpmqOpNnd/Emz2q9iTZmSAi/R89E0scHngvB++VpjuiUp4yq62c0m4xI5FVm86sKFXbY/9cJ3B0DgO37f59HANX9fzww53+PAqVtU6Xk0nrfFMu+cxTwRfb+JCYeZ8zIVcDl/ClIeEXiXbAKwGH3xJM4DDwsN4zca6nGQ5pFqWSagCw8xJf78Aqn3vLdbnJMJIHcJBQBbVLEth5FNBVxQpI3FVWetvQq7+4tiXeZZCst5xbWWJ83lZbhuajkgIP8oKR0XsPEn+J0iTo7pfCdF2LIsgoFMuhyaS5ti6hbQ8M7CNsiVq5EuUQRSa8pA+XdCPFSajNQg2BFbND3hDAYOKh7GNJr4u+G78OqbsNgJKEZ82CNN3EBzU6W4D8SmxcS1zLYqRfbo9HwIShLPbkmM/h5WeysnMGgN+itObSo+g/5/OZmlweFOADOxWzbbX5AgtA2F3WqubZeWYQ9deOxrC92ynROszA8pWDUtyVDlxhx8bCkpHS1wuDMigYbdRtr2+s+ttLZV12Set36MSo17WopSYnCCt9wKl7GGMyrzQj/EYQkeaXJvj5zFN9V5/PbyEv0YXB6S4LDdCmsbn/aGnIbn2ARUUZsGhOZ9Nhrv9ZEXaKc5BgHBUKVdq6dcs7sYq94tWWraMRWJsSPdXXBVC+ZuDmy0yk/+q1Q84OEHxNrZ9al2VOP15kgj59/pUGEOt93qq5R8/CwK7DAS+o4qkf2DEzNxr4Php280nW/AbfG+VaYyuWt4ymfNLOsx2znWLgiVdOv8i2MTD3Xp3Ybbg1nTi6kCzuEbSvU6UDjO94GC6MSCtQJojnt1GHPKYMdv4L+VjTq+L8m/HxCwyfRle49pNd7fXD48/T4zcX59PBs+uHi+OD99Pz04HBadERIZAhvGV25WiNC84CE/hmZl1tVO9//3CKucArzaON/ejZ9e/SvKvPGNGuD3LvpwZvp2cX03fTww9HJ8eONZ8/oKJf36P3Bj9OPIOzJ2cXJx+nZL2dHHzZkdVFXXNjQSr/d2lrwNt3jziXZXP/cE0nvonEuNkpuUaVdahe3BPwYTalHQxd9ODytlpuKQEDHKRpFEFspBKwx1rl/v1fJUYtZo2G2Iu95vFwzZOl0NVFXvKNc4fZd8r4r3nRsUCfMxqpr/RjB/kkUQgCRsow0rzxfn8AjB57HCR+3hzrfIjyfB1GQ3rpFC1cf/wDCzoOaR6goGr3JIBZenMPm7GchfDsSu6lqnt4QL9OLh9+qeRGh23kpo8kfignh2c30JuYOX89I1j1sdEluGw/AiyPyDTyEZGgAXNFRVPNYWF8NQ85yh+P2MlpKYwqO+vZnLmunfAy/pEkqFkLhSAXeCFErGujltW3dZe1c2s5Budb31Ae80aCnHu2l3rsp9/7ythnLFtm/mrKVgQeCHep/4MUgGmaZuAI+y/wF2bMQ2Hb+Px69rNT/hqPRxNT/HgOUx1qk6DmvyNRVz16gfvUKQCwy7e5VfwbBXV4wPKX+m0JPXgs9+WNUDiFd/meEr3AQ8pROkE+yWeuA710x/Bo86g72zyB/uNeLQC32PxwNN+5/DsbG/h8Fqod3YrFxli4pC/4nL8Bf/iDCrfXtgBDmjLAzGpJ97Hsfy2VZyAM59WHzw/0fGc1iEdzZSDvTL9dErVJCxLt6UtgEfkAoNFOt3DWJKDpI5JdrbtubjLC/CkQAXXojQE7IJq9VlorXClSu5+l3B3YTgH/LYphQIoWHfEV9jesF3GMm1l0rP7tgAWm2u4BxVdQNqZpK1jVThiMIVv2idWchtKnRJmwtmg+uu060TmdTCFkXkdNSBPtPI0qxCd5RYetoQi4QpRV622TeIOpRyvwg2q78YrfeiUvbGPZjl7eLOKGi6epQBPr6fIcL5SWMsoyaYHySv0V+xC90eCBDAppBVpCDohlBmL8VpNLpv9/LEIGBol/5uY8h3s9vv4YGcFRfzH0DC1UUzKdpi4RWce1K21ha5IH47VdYTbE55JdN9JLNw4SbT705PwLsEP+pYtjdQ8DW/K83MO//PBE0XNwSK/7HyN5ScRVR+Yaj01Jattu9jaKKb4uvLhqNhiKjK5fbRb0RM3C4e1Xvn3oF7we72z+WnvUObqDN/gejyvvfg8FwPDL2/xiwzf7zvfRJ3cBTT9CfHBrtXx7jPMg/gGl7/6M/GFTf/56MzP3PRwF5Q0skKfmNLBctlh7jqYN4g8KGCeL/5KH52lSKFy4SewX/FWvXtI7mxzQ9hfyH3yK19Bqri/rWOi9Cn363LO0mjnrXQ7+n5KIxNGoXmWRRtqkXS2eQe8o+8JRcH0UQPoBSn/PLUj50HPKDr8arSy6a4zAhlrV5EchF//lv3vyLDAxkGySPdSd+/E0Vfp4pbx+44nt+9hfjLJF3kMS1AUuee8ppOdNXZP1PONaHoPrXWUhn3RXmMVJ3lgWh3xWku2+od0nYPICUKj921qjKZV5QugjJxfqWn8S18cqfjBSaWOPO0Ol1VEPxX3z6Tr/v3Hzdo+pvjKrzt1d8ZAP5wHEcyyoFga4lbwnkVz14SGl5xaP6d3/q3vzBsTAK3qnLbx/lWr1+C6e2h3g/pt+Th7fq5ZU+qLRV84rIRpt6eUMKlS/a6lZdELLUMbF2txnxp+K+AHyKncEq/keAa+nT1jEbtgEDBgwYMGDAgAEDBgwYMGDAgAEDBgwYMGDAgAEDBgwYMGDAgAEDBgwYMGDAwBeF/wMzaYDUAHgAAA==
   values:
     image:
       tag: v0.1.0

diff --git a/example/kustomize/patch-deployment.yaml b/example/kustomize/patch-deployment.yaml
@@ -13,3 +13,16 @@ providerConfig:
     #   defaultBackends:
     #     clusterForwarding:
     #       enabled: true
+
+        # splunk:
+        #   enabled: true
+        #   index: <splunk index>
+        #   host: splunk-endpoint.example.com
+        #   port: "443"
+        #   secretResourceName: splunk
+        #   tls: true
+
+      # defaultBackendSecrets:
+      #   - name: splunk
+      #     data:
+      #       token: test
diff --git a/pkg/apis/audit/v1alpha1/defaults.go b/pkg/apis/audit/v1alpha1/defaults.go
@@ -24,10 +24,10 @@ func SetDefaults_AuditConfig(a *AuditConfig) {
 		a.Replicas = pointer.Pointer(int32(2))
 	}
 
-	defaultBackends(a.Backends)
+	DefaultBackends(a.Backends)
 }
 
-func defaultBackends(backends *AuditBackends) {
+func DefaultBackends(backends *AuditBackends) {
 	if backends == nil {
 		return
 	}

diff --git a/pkg/controller/audit/actuator.go b/pkg/controller/audit/actuator.go
@@ -3,6 +3,7 @@ package audit
 import (
 	"context"
 	"fmt"
+	"os"
 	"path"
 	"time"
 
@@ -77,16 +78,13 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, ex *extension
 		}
 	}
 
-	if auditConfig.Backends == nil {
-		auditConfig.Backends = &v1alpha1.AuditBackends{
-			Log: &v1alpha1.AuditBackendLog{
-				Enabled: true,
-			},
-		}
+	backends, defaultBackendSecrets, err := a.applyDefaultBackends(ctx, log, auditConfig.Backends)
+	if err != nil {
+		log.Error(err, "unable to apply default backends configured by operator, continuing anyway but configuration of this extension needs to be checked")
+	} else {
+		auditConfig.Backends = backends
 	}
 
-	auditConfig.Backends = a.applyDefaultBackends(log, auditConfig.Backends)
-
 	namespace := ex.GetNamespace()
 
 	cluster, err := controller.GetCluster(ctx, a.client, namespace)
@@ -96,14 +94,9 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, ex *extension
 
 	splunkSecret := &corev1.Secret{}
 	if pointer.SafeDeref(auditConfig.Backends.Splunk).Enabled {
-		secretRef := helper.GetResourceByName(cluster.Shoot.Spec.Resources, auditConfig.Backends.Splunk.SecretResourceName)
-		if secretRef == nil {
-			return fmt.Errorf("splunk secret resource with name %q not found in shoot resources", auditConfig.Backends.Splunk.SecretResourceName)
-		}
-
-		err = controller.GetObjectByReference(ctx, a.client, &secretRef.ResourceRef, namespace, splunkSecret)
+		splunkSecret, err = a.findBackendSecret(ctx, cluster, defaultBackendSecrets, auditConfig.Backends.Splunk.SecretResourceName)
 		if err != nil {
-			return fmt.Errorf("unable to get referenced splunk secret: %w", err)
+			return err
 		}
 
 		_, ok := splunkSecret.Data[v1alpha1.SplunkSecretTokenKey]
@@ -119,30 +112,61 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, ex *extension
 	return nil
 }
 
-func (a *actuator) applyDefaultBackends(log logr.Logger, backends *v1alpha1.AuditBackends) *v1alpha1.AuditBackends {
+// applyDefaultBackends adds default backends configured by the operator to the audit config in case this backend is not explcitly defined by the user.
+// it returns the backends to which defaults were applied and a map of secrets that contains secrets referenced by the operator's default backends.
+func (a *actuator) applyDefaultBackends(ctx context.Context, log logr.Logger, backends *v1alpha1.AuditBackends) (*v1alpha1.AuditBackends, map[string]*corev1.Secret, error) {
+	var (
+		secrets   = map[string]*corev1.Secret{}
+		addSecret = func(secretName string) error {
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      os.Getenv("BACKEND_SECRET_PREFIX") + secretName,
+					Namespace: os.Getenv("BACKEND_SECRET_NAMESPACE"),
+				},
+			}
+
+			err := a.client.Get(ctx, client.ObjectKeyFromObject(secret), secret)
+			if err != nil {
+				return fmt.Errorf("unable to get default backend secret: %w", err)
+			}
+
+			secrets[secretName] = secret
+
+			return nil
+		}
+	)
+
 	if backends == nil {
 		backends = &v1alpha1.AuditBackends{}
 	}
 	defaultedBackends := backends.DeepCopy()
 
 	if a.config.DefaultBackends == nil {
-		return defaultedBackends
+		// no default backends configured by the operator, nothing needs to be defaulted
+		return defaultedBackends, secrets, nil
 	}
 
 	if a.config.DefaultBackends.Log != nil && backends.Log == nil {
-		log.Info("configuring default backend for log")
+		log.Info(`configuring default backend "log"`)
 		defaultedBackends.Log = a.config.DefaultBackends.Log
 	}
 	if a.config.DefaultBackends.ClusterForwarding != nil && backends.ClusterForwarding == nil {
-		log.Info("configuring default backend for cluster forwarding")
+		log.Info(`configuring default backend "cluster forwarding"`)
 		defaultedBackends.ClusterForwarding = a.config.DefaultBackends.ClusterForwarding
 	}
 	if a.config.DefaultBackends.Splunk != nil && backends.Splunk == nil {
-		log.Info("configuring default backend for splunk")
+		log.Info(`configuring default backend "splunk"`)
 		defaultedBackends.Splunk = a.config.DefaultBackends.Splunk
+
+		err := addSecret(defaultedBackends.Splunk.SecretResourceName)
+		if err != nil {
+			return defaultedBackends, secrets, err
+		}
 	}
 
-	return defaultedBackends
+	v1alpha1.DefaultBackends(defaultedBackends)
+
+	return defaultedBackends, secrets, nil
 }
 
 // Delete the Extension resource.
@@ -170,7 +194,7 @@ func (a *actuator) createResources(ctx context.Context, log logr.Logger, auditCo
 		return err
 	}
 
-	secrets, err := a.generateSecrets(ctx, log, cluster)
+	secrets, err := a.generateCerts(ctx, log, cluster)
 	if err != nil {
 		return err
 	}
@@ -235,7 +259,7 @@ func (a *actuator) deleteResources(ctx context.Context, log logr.Logger, namespa
 	return nil
 }
 
-func (a *actuator) generateSecrets(ctx context.Context, log logr.Logger, cluster *extensions.Cluster) (map[string]*corev1.Secret, error) {
+func (a *actuator) generateCerts(ctx context.Context, log logr.Logger, cluster *extensions.Cluster) (map[string]*corev1.Secret, error) {
 	const (
 		caName = "ca-audittailer"
 	)
@@ -1079,6 +1103,43 @@ func shootObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.
 	}, nil
 }
 
+func (a *actuator) findBackendSecret(ctx context.Context, cluster *extensions.Cluster, defaultBackendSecrets map[string]*corev1.Secret, secretName string) (*corev1.Secret, error) {
+	fromShootResources := func() (*corev1.Secret, error) {
+		secretRef := helper.GetResourceByName(cluster.Shoot.Spec.Resources, secretName)
+		if secretRef == nil {
+			return nil, nil
+		}
+
+		secret := &corev1.Secret{}
+		err := controller.GetObjectByReference(ctx, a.client, &secretRef.ResourceRef, cluster.ObjectMeta.Name, secret)
+		if err != nil {
+			return nil, fmt.Errorf("unable to get referenced secret: %w", err)
+		}
+
+		return secret, nil
+	}
+
+	secret, err := fromShootResources()
+	if err != nil {
+		return nil, err
+	}
+
+	if secret == nil {
+		// if the secret is not referenced in the shoot resources it may be defined in the default backend secrets
+		if len(defaultBackendSecrets) > 0 {
+			var ok bool
+			secret, ok = defaultBackendSecrets[secretName]
+			if !ok {
+				return nil, fmt.Errorf("secret resource with name %q not found in default backend secrets", secretName)
+			}
+		} else {
+			return nil, fmt.Errorf("secret resource with name %q not found in shoot resources", secretName)
+		}
+	}
+
+	return secret, nil
+}
+
 func getReplicas(cluster *extensions.Cluster, wokenUp *int32) *int32 {
 	if controller.IsHibernated(cluster) {
 		return pointer.Pointer(int32(0))